<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Brendan Taylor:
<blockquote
cite="mid:20080308014931.GU2918@nyarlathotep.necronomicorp.com"
type="cite">
<pre wrap="">On Fri, Mar 07, 2008 at 10:18:10AM -0800, Johnny Bufu wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Perhaps you should explain why your assumption (user-supplied id ==
claimed_id) should superceed the spec (condidering that without it
the spec stands).
</pre>
</blockquote>
<pre wrap=""><!---->
This is *not* assumed. The user-supplied ID doesn't come into it at all.
The claim is that a 303 is a special case, and that ID normalization should
end when it receives one. (of course, the redirect still needs to be
followed for discovery)
Example:
<a class="moz-txt-link-freetext" href="http://example.org/me">http://example.org/me</a> 301 redirect to <a class="moz-txt-link-freetext" href="http://example.org/bct">http://example.org/bct</a>
<a class="moz-txt-link-freetext" href="http://example.org/bct">http://example.org/bct</a> 303 redirect to <a class="moz-txt-link-freetext" href="http://example.org/about.html">http://example.org/about.html</a>
<a class="moz-txt-link-freetext" href="http://example.org/about.html">http://example.org/about.html</a> 301 redirect to <a class="moz-txt-link-freetext" href="http://example.org/about">http://example.org/about</a>
<a class="moz-txt-link-freetext" href="http://example.org/about">http://example.org/about</a> 200 OK with content that discovery can be
performed on
if the user enters <a class="moz-txt-link-freetext" href="http://example.org/me">http://example.org/me</a> or <a class="moz-txt-link-freetext" href="http://example.org/bct:">http://example.org/bct:</a>
currently: claimed identifier = <a class="moz-txt-link-freetext" href="http://example.org/about">http://example.org/about</a>
proposed: claimed identifier = <a class="moz-txt-link-freetext" href="http://example.org/bct">http://example.org/bct</a>
if the user enters <a class="moz-txt-link-freetext" href="http://example.org/about.html">http://example.org/about.html</a> or <a class="moz-txt-link-freetext" href="http://example.org/about:">http://example.org/about:</a>
both cases: claimed identifier = <a class="moz-txt-link-freetext" href="http://example.org/about">http://example.org/about</a>
</pre>
<pre wrap="">
</pre>
</blockquote>
The underlying semantics of http has nothing to do with the actual ID.
Even if <a class="moz-txt-link-freetext" href="http://example.org/about">http://example.org/about</a>
returns 200 OK, this doesn't have to be the actual ID, instead the OP
can return also something completely else to the RP like
<a class="moz-txt-link-freetext" href="http://me.otherdomain.net/">http://me.otherdomain.net/</a> for <a class="moz-txt-link-freetext" href="http://example.org/about">http://example.org/about</a>. As Johnny
stated above: user-supplied id != claimed_id<br>
<br>
It's the job of the OP to know what he's doing with each redirect and
not lose the information he is required to know in order to
successfully authenticate. Actually I think we shouldn't care at all
about how many and which redirects an OP might perform since it doesn't
have any meaning to OpenID (except secure transport layer of course).<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>